Cloud storage that really can't be tapped by the government is a rare thing.

After eight years of existence, file sharing service Box has built a huge user base—claiming 180,000 businesses, including 97 percent of the Fortune 500—by offering cloud storage and collaboration tools with top-notch security and regulatory compliance.

But while Box may be resistant to most criminal hackers, it must, like most cloud storage companies, provide the government with customer data when it is forced to. For the vast majority of Box customers, that isn't likely to change. However, the company is developing a system for the most security-conscious customers in which even Box management would not be able to decrypt user data—making it resistant to requests from the National Security Agency.

Box co-founder and CEO Aaron Levie spoke with Ars last week to promote the launch of a new collaboration tool called Box Notes and answered our questions about Box's encryption model.

While a service like SpiderOak says it provides total secrecy by making data inaccessible to its employees without the customer's password, Box's collaboration tools would be difficult to implement in a model that puts customers in complete control of their data.

"From an architectural standpoint, we are certainly more like a Google or Microsoft in that we are encrypting all the data on both transit and storage, but we obviously have to manage the encryption key because as a collaborative application we have to broker that exchange between multiple users," Levie told Ars. "To make it a seamless experience, it requires us to have those keys."

Avoiding the appearance of selling customers out to the government is an important business concern. Forrester analyst James Staten has argued that US IT firms could lose $180 billion in business over the next few years because of the NSA spying scandal. The label "NSA-proof" may not be achievable by any cloud service, though there are technological steps companies can take to gain users' trust.

Box security chief Justin Somaini recently told VentureBeat that the company would never install a backdoor for the government to take customer data. That doesn't mean it never hands files to the government when it's forced to. "If there is a data request by the government, that's something we generally comply with," Levie told Ars.

Box's security model—featuring armed guards protecting data centers, SSL encryption in transit, 256-bit AES encryption at rest, and compliance with HIPAA and other regulatory standards—is still good enough to cover about 95 percent of companies' security requirements, Levie noted. "But some businesses are either so regulated or so sensitive that we want to make sure we're able to work with them as well," he said.

"More than conceptual"

That's why Box is working on a new idea: letting customers themselves hold the encryption keys. "We are exploring ways that in the future our customer would be responsible for its keys, and that's something we may make available to some of the largest organizations," Levie said.

This is "more than conceptual," he said, when asked if it's just an idea or something actively being developed. He didn't provide any timeline, saying, "There's so much potential for unforeseen stuff" and that "the strategic roadmap is always very dynamic." Nonetheless, "it's something we are actively pushing on."

Box's name hasn't been paired with the NSA in nearly as many news articles as Google or Microsoft, perhaps because of its small size relative to those companies and because its enterprise customers don't tend to be the focus of many terrorism-related inquiries. But there have been requests from some customers to manage their own keys.

"We have [gotten requests]," Levie said. "We've worked pretty closely with a bunch of large enterprises to understand what their [needs are]. This has been going on for over a year. It's obviously increased in conversation in the past couple of months."

It will be difficult to keep Box's collaborative focus when the customer controls its own keys, Levie said. For example, customers today could use local encryption before uploading data to Box if they were willing to deal with some extra annoyances.

"Technically, if you gave the encryption key to your collaborators, you could absolutely encrypt data before it goes to Box and then your collaborator could decrypt that data as they download it," Levie said. "We would then never have the unencrypted data in the process. The challenge, of course, is most average business people and enterprises are not going to go through that experience because our differentiation as a company is to take security and combine it with a very simple user experience around working with information."

Levie acknowledged that "it remains to be seen" if Box can solve all the different security demands businesses make while still providing good collaboration tools. But he thinks Box can come up with something "that makes people very comfortable."

"We are not stubbornly resisting technological solutions to this problem," he said. "We are evaluating every possible way that we can make our customers feel great about the privacy and security of their data, because this is our key differentiator as a company."

If you're expecting NSA-resistant cloud technology to be rolled out to home users or even small businesses, think again. "It's really only going to be aimed at the most conservative and most regulated businesses," Levie said. "This is not something we think we're going to introduce to our entire network. And so it's very, very early in that sense."

Box takes small step into Google and Microsoft territory

As mentioned earlier, Box today is unveiling Box Notes, the company's first stab at a content creation application. Box already integrates with Microsoft Office, Google Docs, and other platforms to let users edit files in their native applications and store them in Box.

Levie said he doesn't want to recreate a full office suite, noting that trying to replace every little feature of Microsoft Office is a losing proposition. Notes, however, will let Box create a new way for people to share work and ideas without being limited by the sharing capabilities of other vendors' tools.

Box Notes is going into a limited, private beta before hitting general availability at the end of this year or beginning of next year. Run in a Web browser, it looks a bit like Evernote or the Google Docs word processor, letting people edit simultaneously. A "note head" feature puts people's faces on the document like "chat heads" do with Facebook. Other features in the beta include commenting, an in-line toolbar, and annotations for leaving edits or hyperlinks to other Box content.

Mobile apps for iOS and Android are in the works. Other planned capabilities include embedding images, video, and audio into notes, version history, and offline editing using HTML5 caching.

Box Notes will be free to all customers, whether they use the free storage tier or have a paid business subscription. Access to the beta can be requested at www.box.com/notes.

E-mailing documents is still the mode of collaboration for many big companies, Levie noted. Small teams might be using Google Docs, but there are still a lot of users within Box's existing customer base that don't use anything like Box Notes, he said.

"We're not really going after the existing Google Docs base and trying to migrate everybody and say that 'this is a better solution for them,'" he said. "We're trying to create a solution that solves our customers' problems."

Box will continue supporting integration with Google Docs, which offers collaboration across a wider set of document types. Users can create a new Google Doc from within the Box Web app. "When the file is opened and is in the process of being edited, it does live in Google—which is how we're able to use Google's document creation tools—but as soon as the file is closed, it gets deleted from the user's Google account and once again lives exclusively inside of Box," a company spokesperson explained.

Box has a similar setup for Microsoft Office but only for the desktop applications. Levie would like to integrate with Office Web Apps, but Microsoft hasn't made that possible, he said. "We think the right solution technologically is a Word document in Box should be opened in Microsoft Web Office. And that depends on the APIs they make available. We want the file format to be coupled with the originating application, so you have the highest-fidelity experience," he said. "We would love to let people open their content in any third-party application, but we are to some extent dependent on and paralyzed by availability of those APIs."

Security and regulatory compliance will remain important selling points for Box as it expands the types of content it hosts for customers. The company puts its money where its mouth is, running almost entirely on cloud services.

"At Box we run on 15 or 20 different cloud solutions," Levie said. "We have maybe a couple of servers that only manage an internal network."

Levie's Twitter feed could be described as "Confucius for tech startup CEOs" with statements like, "Make sure you know the moments when the customer will change for you and the moments when you should change for the customer."

He talks pretty much the same way in person: "In our world, technology is moving to the background, information is moving to the foreground," he said. "We're going to need a new set of tools that power those experiences around information."

Promoted Comments

Since now we all know that the NSA hacks into users' computers to steal their information, it wouldn't be hard for them to steal those keys from the user's computer. I think that to keep your business information safe you need to have a server not connected to the internet at all - and only saving information using a physical device - nicely encrypted with a 4 layer method. For all practical purposes anything that goes on the internet can be hacked by public or private cybercriminals. Cloud services are only for data that no one would mind giving away to the public - or a government agency for that matter.

Oh, if for some reason your activities require protection against the government and law enforcement, don't use this. Learn how to use your own tools; do not let your most basic tools or "technology" be expropriated into the "background". Encrypt your own stuff.

It really doesn't seem like a revolutionary idea to encrypt things on the client side, you can already do that with your preferred encryption method before uploading things to the cloud, what is box going to offer that makes things more convenient than, say, using 7-zip to put aes 256 on your files before uploading them?

Make it transparent and convenient? Manually encrypting files and then uploading them might be secure, but it's a hassle that most people, even techies, aren't going to go through. The whole point of storing data in the cloud is convenience and, in many cases, sharing. Security that gets in the way of that is almost certainly going to be security that doesn't get used.

End? No! I can see data security as a big growth industry now: "Buy our product/service to protect yourself from your own government!" Stimulates the economy in the same way that car thieves and burglars are good for the alarm and lock industries. Clever feds, propping up the economy so subtly...

Someone hand Aaron Levie a brush or a hat - he needs to do something to that mop.

Quote:

After eight years of existence, file sharing service Box has built a huge user base—claiming 180,000 businesses, including 97 percent of the Fortune 500—by offering cloud storage and collaboration tools with top-notch security and regulatory compliance.

The part these companies usually leave out is that those same companies ARE NOT using them exclusively.

Quote:

While a service like SpiderOak says it provides total secrecy by making data inaccessible to its employees without the customer's password, Box's collaboration tools would be difficult to implement in a model that puts customers in complete control of their data.

Blah blah blah..... Nothing is inaccessible and nothing is permanently secure. If it can be accessed online by one person - it can be accessed by anyone else wanting to get to it.

Additionally - if they are going through the Web to access it - the weak link is still going to be Web-level security (a joke) no matter how much encryption locally you toss at it.

If you build a fortress and slap a window on it - the window still breaks with a rock.

Quote:

...Avoiding the appearance of selling customers out to the government is an important business concern...

Interesting use of terminology there. Not actually doing it - but making their customer think they're doing it. Very well scripted.

Quote:

It really doesn't seem like a revolutionary idea to encrypt things on the client side, you can already do that with your preferred encryption method before uploading things to the cloud, what is box going to offer that makes things more convenient than, say, using 7-zip to put aes 256 on your files before uploading them?

An encryption method that an NSA goon can't break in ten minutes between two games of Tetris?

Quote:

It really doesn't seem like a revolutionary idea to encrypt things on the client side, you can already do that with your preferred encryption method before uploading things to the cloud, what is box going to offer that makes things more convenient than, say, using 7-zip to put aes 256 on your files before uploading them?

Quote:

Make it transparent and convenient? Manually encrypting files and then uploading them might be secure, but it's a hassle that most people, even techies, aren't going to go through. The whole point of storing data in the cloud is convenience and, in many cases, sharing. Security that gets in the way of that is almost certainly going to be security that doesn't get used.

Think the only real option here is for SaaS providers to offload the pain on to customers; i.e. as an example - Box gets an info request from the NSA, Box hands over the data and leaves it to the NSA to go after the customer for the keys.

On the other hand, law on the books may state that said provider has to hand over the unencrypted data, i.e. NSA may turn around and say, "That's nice, now go get the keys for us, thanks".

If you look at this from the perspective of a non US based company, nothing in the world could induce us to store company data in a US based cloud server - for example we have worked on projects which were in direct competition with US based companies and ones well connected with the US military at that. I wonder what the chances are of our stuff ending up 'accidentally' in the wrong hands. If US based cloud companies want any overseas business, they have to fix this quickly and completely.

Maybe I'm missing something here, but why can't Box treat itself as a Web of Trust? It hold public keys for individuals who authenticate who they are (could be as simple as their company admin approving the request), and their private key could be stored in various ways. Then the user uses their private key to open the local Box app.

Then when you share things, before you load them, you decide who has access and it get encrypted for them right then. Sure, this means having lots of copies of broadly shared files, but with the exception of particularly large media files and CAD, that should not be an issue.

Maybe I'm underthinking this, and there's gaps in that process, but the central idea seems sound, and would still give you the same level of collaboration.
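Levie's description earlier in the article (encrypt before upload, hand the key to collaborators, so the provider never holds plaintext) and the per-user public-key scheme this commenter sketches are the same pattern: envelope encryption. The Go program below is an added example, not Box's code and not anything the article or the commenter supplied. It assumes a hypothetical Directory of published public keys and assumed function names (Seal, Open, NewCollaborator), and uses RSA-OAEP for key wrapping and AES-256-GCM for the file body. It goes one step beyond the comment: instead of storing one encrypted copy per reader, it stores the body once and wraps the content key separately for each reader.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Envelope is the only thing uploaded: ciphertext plus wrapped keys, which the provider can store or hand over but not read.
type Envelope struct {
	Nonce       []byte            // AES-GCM nonce for the file body
	Ciphertext  []byte            // file body encrypted under the random content key
	WrappedKeys map[string][]byte // content key, RSA-OAEP-wrapped per recipient name
}

// Collaborator is one user; the private key never leaves the user's own machine.
type Collaborator struct {
	Name string
	priv *rsa.PrivateKey
}

// Directory maps user names to public keys: an assumed structure standing in for the admin-approved key directory the comment imagines.
type Directory map[string]*rsa.PublicKey

func NewCollaborator(name string) (*Collaborator, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Collaborator{Name: name, priv: priv}, nil
}

func (c *Collaborator) PublicKey() *rsa.PublicKey { return &c.priv.PublicKey }

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the client before upload. A fresh 256-bit content key encrypts the body once and is then
// wrapped to each recipient's public key, so a widely shared file costs one ciphertext plus one small wrapped key per reader.
func Seal(plaintext []byte, recipients Directory) (*Envelope, error) {
	contentKey := make([]byte, 32)
	rand.Read(contentKey) // fills from the OS CSPRNG; Go 1.24+ documents crypto/rand.Read as never failing
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil), WrappedKeys: map[string][]byte{}}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = wrapped
	}
	return env, nil
}

// Open runs after download: unwrap the content key with the local private key, then decrypt and authenticate the body.
// A party with no wrapped key (the provider included) gets an error, as does any reader if the stored ciphertext was modified.
func (c *Collaborator) Open(env *Envelope) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[c.Name]
	if !ok {
		return nil, fmt.Errorf("no content key wrapped for %s", c.Name)
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, c.priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	alice, _ := NewCollaborator("alice")
	bob, _ := NewCollaborator("bob")
	provider := &Collaborator{Name: "provider"} // stores the blob but holds no key at all
	env, err := Seal([]byte("constructed sample: Q3 roadmap draft"), Directory{alice.Name: alice.PublicKey(), bob.Name: bob.PublicKey()})
	if err != nil {
		panic(err)
	}
	body, _ := bob.Open(env)      // a collaborator's "download" succeeds
	_, perr := provider.Open(env) // the provider, and anyone it hands the blob to, gets an error
	fmt.Printf("bob reads %q; provider gets: %v\n", body, perr)
	env.Ciphertext[0] ^= 1 // a change made in storage is detected rather than silently decrypted
	_, terr := alice.Open(env)
	fmt.Println("alice on modified blob:", terr)
}
```

Two points from the discussion are visible in the code: the uploaded blob contains nothing that decrypts without a private key that never left a user's machine, so a data request to the provider can yield only ciphertext; and removing a reader or rotating a key means re-sealing under a fresh content key, which is the kind of friction Levie says most customers will not accept.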

A rich text editor, encrypted channels and blog posts with commentaries enabled. What a revolution, is it not?

Quote:

"In our world, technology is moving to the background, information is moving to the foreground," he said. "We're going to need a new set of tools that power those experiences around information."

A rich text editor, encrypted channels and blog posts with commentaries enabled. All they are saying is: "To make money we are trying to outsource your most basic tools, information repositories and channels."


Carbonite allows you to generate a key locally and NOT upload it to them, so that only your local client can access your backup. (Of course, much like Skype, a government could pressure them into re-writing the client to on-demand upload your keys to the server. Skype simply tells the client to use server-side rather than client-side crypto when the government wants to snoop your calls.)

There's also a box-like service called SpiderOak (Maybe ars covered it a while ago?) that seems to use intelligent public-key crypto to keep the data on their servers secure from themselves.

I'm swaying towards Seafile. I'll always be suspicious of American companies from now, which is a shame as the issue is really with closed surveillance. It won't be long until I'll be closing my cloud storage accounts to switch to my own controlled environment.

The trouble is that you need SOME trusted platform anyway. If you do end-to-end encryption on the device you have to trust the device, the OS it is running and the client software. If you don't or can't trust these, encryption is worthless. Fixing one link in the chain isn't going to help if other links are crap.

And it looks indeed more and more as if the NSA is not going to leave their fingers off anything. And this even is somehow understandable from their point of view: If someone can offer some software/service that really is off limits for surveillance and that can be used by everyone what would that lead to? In the paranoid world of total control nothing but total control will do. Secure end-to-end encryption is basically something that must be defeated at all costs from this point of view.

I have said this a thousand times: This is not a technical problem and can not be solved by technical means. It's a political problem. At some point you must be able to trust your government to not abuse its power as you must be able to trust your bank not to run away with your money.

Quote:

The trouble is that you need SOME trusted platform anyway. If you do end-to-end encryption on the device you have to trust the device, the OS it is running and the client software. If you don't or can't trust these, encryption is worthless. Fixing one link in the chain isn't going to help if other links are crap.

Not so. Fixing that link now means that the end-user (or more likely with Box, the IT admin) now has control of the OS/Keys/Local Network. So fixing that one link is massive, because everything inside that link can:

1. be monitored locally or by the admin
2. getting to all those individual computers for keys is a much harder job.

It's a real step up, because it puts control of the keys literally in the user's hands.

Quote:

The trouble is that you need SOME trusted platform anyway. If you do end-to-end encryption on the device you have to trust the device, the OS it is running and the client software. If you don't or can't trust these, encryption is worthless. Fixing one link in the chain isn't going to help if other links are crap.

And it looks indeed more and more as if the NSA is not going to leave their fingers off anything. And this even is somehow understandable from their point of view: If someone can offer some software/service that really is off limits for surveillance and that can be used by everyone what would that lead to? In the paranoid world of total control nothing but total control will do. Secure end-to-end encryption is basically something that must be defeated at all costs from this point of view.

I have said this a thousand times: This is not a technical problem and can not be solved by technical means. It's a political problem. At some point you must be able to trust your government to not abuse its power as you must be able to trust your bank not to run away with your money.

This is especially hard to accomplish if the NSA has backdoored the TPM chips in our computers ensuring clean boots! If they install, or possibly even activate an existing, keylogger, then it is game over before you even start. Like I have said, can we really even trust Bitlocker anymore?

That is where this whole spying scandal is leading to. Can we really trust anything including our own computers? Short of pulling it completely from the internet that is...

Quote:

Think the only real option here is for SaaS providers to offload the pain on to customers; i.e. as an example - Box gets an info request from the NSA, Box hands over the data and leaves it to the NSA to go after the customer for the keys.

On the other hand, law on the books may state that said provider has to hand over the unencrypted data, i.e. NSA may turn around and say, "That's nice, now go get the keys for us, thanks".

Anyone in legal have any idea how this may actually play out?

At the very least, it would alert the end user that they are under investigation. And if the encryption key is password protected, you could at least try taking the fifth and see how the SCOTUS rules on it.

If you just want password storage then NSA-proof cloud storage has been widely available through numerous companies for a long while... I'm surprised that model hasn't bled over into file storage more than it has.

I guess it's a scary thing as a company owner - if you're housing documents for people that nobody can access except the users, you're likely sitting on a landmine. You'll probably have governments at your door asking for records of what IPs accessed what accounts at what times, and to hand over the encrypted data so their super-computers can try to crack the files. A complete mess really.

Quote:

Think the only real option here is for SaaS providers to offload the pain on to customers; i.e. as an example - Box gets an info request from the NSA, Box hands over the data and leaves it to the NSA to go after the customer for the keys.

On the other hand, law on the books may state that said provider has to hand over the unencrypted data, i.e. NSA may turn around and say, "That's nice, now go get the keys for us, thanks".

Anyone in legal have any idea how this may actually play out?

They could be forced to provide the surveillance target with a 'poisoned' client (e.g. with a keylogger to get the passphrase). IIRC that was how Hushmail were able to hand over a customer's email to the Canadian courts.

Ostracus wrote:

And what about the spying done by the British or the French, not to mention other countries? No lost business there.

Most of the major cloud providers are located in the United States, and the United States is the only country where this sort of surveillance is actually legal.

Quote:

It really doesn't seem like a revolutionary idea to encrypt things on the client side, you can already do that with your preferred encryption method before uploading things to the cloud, what is box going to offer that makes things more convenient than, say, using 7-zip to put aes 256 on your files before uploading them?

I wouldn't say revolutionizing just making things easier. Completely eliminate that last step of using 7-zip by doing it on the fly with all of your data when you upload automatically.

I am still confused as to why they wouldn't want their whole business have this functionality if their idea does become successful though.

Quote:

And what about the spying done by the British or the French, not to mention other countries? No lost business there.

Most of the major cloud providers are located in the United States, and the United States is the only country where this sort of surveillance is actually legal.

The article mentions "lost business". That pretty much means, service providers OUTSIDE the United States. So who do you think the British and French are spying on again? In other words this "lost business" seems to be more about nationalism, than dealing with reality.

As a few on here have already stated, while this plan is ambitious and all, since there is no current regulation or law preventing the government from coming in secretly with a gag order and demanding a backdoor be installed for them, such a thing would nullify all this. We need only look at the likes of Lavabit and Silent Circle for that.

Until the laws are actually changed, anything providers (that operate within the borders of the US) do is moot and can be bypassed with a simple secret court order demand.

Quote:

As a few on here have already stated, while this plan is ambitious and all, since there is no current regulation or law preventing the government from coming in secretly with a gag order and demanding a backdoor be installed for them, such a thing would nullify all this. We need only look at the likes of Lavabit and Silent Circle for that.

Until the laws are actually changed, anything providers (that operate within the borders of the US) do is moot and can be bypassed with a simple secret court order demand.

Open sourcing the encryption client would make it pretty hard to install a backdoor.

Quote:

Since now we all know that the NSA hacks into users' computers to steal their information, it wouldn't be hard for them to steal those keys from the user's computer. I think that to keep your business information safe you need to have a server not connected to the internet at all - and only saving information using a physical device - nicely encrypted with a 4 layer method. For all practical purposes anything that goes on the internet can be hacked by public or private cybercriminals. Cloud services are only for data that no one would mind giving away to the public - or a government agency for that matter.

Does it still operate from the US? Sorry, but I'll find my service provider elsewhere. I'm waiting for the first decent non-American web services provider to ditch Google and Microsoft... shouldn't be too long now.

Perhaps I'm missing something in the article, but nothing what Levie presents here would motivate me to use their services. Methinks that a server, hosted in a country with half-decent data-protection/privacy legislation, with OwnCloud and Etherpad installed would seem a heck of a lot safer, no?

And since this apparently needs to be re-posted on occasion: Not everything can be replaced 1:1 just yet (ever?), but there's lots of 'safe' alternatives out there - clickie here: http://prism-break.org/

Quote:

Since now we all know that the NSA hacks into users' computers to steal their information, it wouldn't be hard for them to steal those keys from the user's computer. I think that to keep your business information safe you need to have a server not connected to the internet at all - and only saving information using a physical device - nicely encrypted with a 4 layer method. For all practical purposes anything that goes on the internet can be hacked by public or private cybercriminals. Cloud services are only for data that no one would mind giving away to the public - or a government agency for that matter.

The only security is physical security. Physical security is necessarily flawed in that physical sites can be breached. Secondary security (e.g. cryptology) is only as effective as it is new and its operators are skilled. As amusing as the idea of real-world Shadowrunners might sound to you, just remember that Shadowrun is more science fiction than fantasy.